[Letsencrypt-devel] Bug#854431: dehydrated: please chown/chmod *.pem to root:ssl-cert
Matteo F. Vescovi
mfv at debian.org
Sat Jul 1 12:49:08 UTC 2017
On 2017-02-07 at 05:42 (GMT), Adam Borowski wrote:
[...]
> Hi!
> Currently, dehydrated creates both the parent directories and certs/privkeys
> it outputs with permissions for root only. This works for daemons that load
> everything as root (apache, etc) but not for those that drop privileges early
> (exim, postgres, etc).
>
> As far as I know, the recommended way to do so is adding the daemons to
> group ssl-cert which is created by some (but not all) ssl key generating
> packages; those which do make /etc/ssl/private/ readable by that group.
>
> I think it'd be a good idea for dehydrated to support this group by default:
> * directories as root:ssl-cert mode 710
> * .pem files as root:ssl-cert mode 640
+1 on my side, too.
Cheers.
--
Matteo F. Vescovi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 987 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/letsencrypt-devel/attachments/20170701/615a5593/attachment.sig>
More information about the Letsencrypt-devel
mailing list